Malware Analysis Report

2024-10-18 23:06

Sample ID 240726-j2brvszcje
Target 733cc93422d62025264bc2fe1803e4bd_JaffaCakes118
SHA256 207380fbc12ac3c9bd75ae48693ccfae68d00783dd4299152b425828ecfc98a0
Tags
ardamax discovery keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

207380fbc12ac3c9bd75ae48693ccfae68d00783dd4299152b425828ecfc98a0

Threat Level: Known bad

The file 733cc93422d62025264bc2fe1803e4bd_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger stealer

Ardamax

Ardamax main executable (dropped as C:\Windows\Sys\svchost.exe together with its svchost.001/.006/.007 companion files; the name is chosen to pass for the legitimate C:\Windows\System32\svchost.exe, which is never launched from C:\Windows\Sys, so the path alone is a usable detection)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 08:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 08:09

Reported

2024-07-26 08:17

Platform

win7-20240704-en

Max time kernel

122s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Sys\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe | N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Sys\svchost.001 | C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe | N/A
File created | C:\Windows\Sys\svchost.006 | C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe | N/A
File created | C:\Windows\Sys\svchost.007 | C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe | N/A
File created | C:\Windows\Sys\svchost.exe | C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Sys | C:\Windows\Sys\svchost.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Sys\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 (reported as a raw privilege LUID; 33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h) | N/A | C:\Windows\Sys\svchost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Sys\svchost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Sys\svchost.exe | N/A
N/A | N/A | C:\Windows\Sys\svchost.exe | N/A
N/A | N/A | C:\Windows\Sys\svchost.exe | N/A
N/A | N/A | C:\Windows\Sys\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe"

C:\Windows\Sys\svchost.exe

"C:\Windows\Sys\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe

"C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@F71B.tmp

MD5 a9680f653434b4766fdc2a3c592af879
SHA1 fd8e999c43fa83df3144aa5bbaae73bac3834296
SHA256 30e084f531980a35b79dd36ac9ee0022d0aba792da99b3d71eea26d327db9ad3
SHA512 685fe7bbaf9fe5d140f07e9fe0f1eff0cecf8a3a4d050fe917ce8eddac3394ab7b8cea575e2d6f3dace309716662fbb5a9016850b120ea2099a00cfc848f57ac

\Windows\Sys\svchost.exe

MD5 4db1b69341dc88b901d85be34278a634
SHA1 0d55d2852a58b597c96c1dcec25efc961d882ba1
SHA256 c3f29e3f8b9eb7c20a0046fc105d2199dc5327a570e8c76908e44be1200fb893
SHA512 e11ee43c65179a562254cc63fda5c25ae228603bd88fd357faea2a5b49b4df11dfde5efe46544ac138d008cdffc419c793b35781ef201a9462a9eda30b52dee0

C:\Windows\Sys\svchost.001

MD5 1ea34b65a76c886b4715529accb951c1
SHA1 877f9f7b8cf9a1ea60fa03c68cccdacc6727cfcb
SHA256 06bbe70967cb80ca6e4868700f3224ef29063d6c40c621009e29f5e49e486487
SHA512 c0920effaf0360b5ce22cddd1bcd93ac3c09eafe9362b396e8862731cb1389b891d2d7f43493ff22033282067651880ae6e8ac66e943617b3d7b1185733de18b

C:\Windows\Sys\svchost.007

MD5 50c8c542dca77df82f5925b145567611
SHA1 64bdce386146e3548d3d85cf16fdd0d34cbafe2f
SHA256 0692f76ec589e517f0a5205e658ca44656322c0382cee2af53890324818b3e0f
SHA512 f7df5e9ac0c81f832e8dfe882eb1c4746f30131bef5a56947634146c813df079acd57b3fc954254684c6f4ef291802cd9629e6af3ced9be1f381fdd858a327c2

C:\Windows\Sys\svchost.006

MD5 ff2bc313174a6ccfe1e0b5b1a58f0f49
SHA1 4e983cdee788faf6a13a9d5bf3f00f4a17dd6e8e
SHA256 f212c83897599d81f4010f1ef3a43e5709e874912072d38d26a5ef5644462318
SHA512 418083066ba5505267f4de91c9e439674e02645c430360dae22dfc390c33b4e0c01857634d1dcb5dc298c296a5f4130397388bceee2ad82ba0a711ab56d1bd0f

memory/2820-21-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2820-24-0x000000007711F000-0x0000000077120000-memory.dmp

\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe

MD5 6943942c70c5fb2552cc6022d678016e
SHA1 c36d6fd28f68bd9f6272cc8f82e48a1ac412e828
SHA256 43e86f47f25c03000a1d60ebe6ea29b4329c24141813ffaa606e6e4bda2aa8ef
SHA512 9451b708489ae38de12a0a1ec9e562e7249fd5a254760ba318564c0bf75307b6b0566d3048604b44a322772991e04ea5a641d71f9fc8486482b7f988572167ec

memory/2908-38-0x000000007711F000-0x0000000077120000-memory.dmp

memory/2820-40-0x0000000000250000-0x0000000000251000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 08:09

Reported

2024-07-26 08:18

Platform

win10v2004-20240709-en

Max time kernel

135s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Sys\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe | N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Sys\svchost.001 | C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe | N/A
File created | C:\Windows\Sys\svchost.006 | C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe | N/A
File created | C:\Windows\Sys\svchost.007 | C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe | N/A
File created | C:\Windows\Sys\svchost.exe | C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Sys | C:\Windows\Sys\svchost.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Sys\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 (reported as a raw privilege LUID; 33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h) | N/A | C:\Windows\Sys\svchost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Sys\svchost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe | N/A
N/A | N/A | C:\Windows\Sys\svchost.exe | N/A
N/A | N/A | C:\Windows\Sys\svchost.exe | N/A
N/A | N/A | C:\Windows\Sys\svchost.exe | N/A
N/A | N/A | C:\Windows\Sys\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe"

C:\Windows\Sys\svchost.exe

"C:\Windows\Sys\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe

"C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Every row above is either a reverse (in-addr.arpa) lookup through 8.8.8.8 or DNS/HTTPS to g.bing.com and tse1.mm.bing.net, which is consistent with Windows 10 background activity of the sandbox image rather than traffic attributable to the sample; the win7 run (behavioral1) recorded no network activity at all. Neither run captured a command-and-control or log-delivery endpoint for the keylogger, so these destinations should not be used as network indicators for this sample.

Files

C:\Users\Admin\AppData\Local\Temp\@AE70.tmp

MD5 a9680f653434b4766fdc2a3c592af879
SHA1 fd8e999c43fa83df3144aa5bbaae73bac3834296
SHA256 30e084f531980a35b79dd36ac9ee0022d0aba792da99b3d71eea26d327db9ad3
SHA512 685fe7bbaf9fe5d140f07e9fe0f1eff0cecf8a3a4d050fe917ce8eddac3394ab7b8cea575e2d6f3dace309716662fbb5a9016850b120ea2099a00cfc848f57ac

C:\Windows\Sys\svchost.exe

MD5 4db1b69341dc88b901d85be34278a634
SHA1 0d55d2852a58b597c96c1dcec25efc961d882ba1
SHA256 c3f29e3f8b9eb7c20a0046fc105d2199dc5327a570e8c76908e44be1200fb893
SHA512 e11ee43c65179a562254cc63fda5c25ae228603bd88fd357faea2a5b49b4df11dfde5efe46544ac138d008cdffc419c793b35781ef201a9462a9eda30b52dee0

C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe

MD5 6943942c70c5fb2552cc6022d678016e
SHA1 c36d6fd28f68bd9f6272cc8f82e48a1ac412e828
SHA256 43e86f47f25c03000a1d60ebe6ea29b4329c24141813ffaa606e6e4bda2aa8ef
SHA512 9451b708489ae38de12a0a1ec9e562e7249fd5a254760ba318564c0bf75307b6b0566d3048604b44a322772991e04ea5a641d71f9fc8486482b7f988572167ec

C:\Windows\Sys\svchost.007

MD5 50c8c542dca77df82f5925b145567611
SHA1 64bdce386146e3548d3d85cf16fdd0d34cbafe2f
SHA256 0692f76ec589e517f0a5205e658ca44656322c0382cee2af53890324818b3e0f
SHA512 f7df5e9ac0c81f832e8dfe882eb1c4746f30131bef5a56947634146c813df079acd57b3fc954254684c6f4ef291802cd9629e6af3ced9be1f381fdd858a327c2

C:\Windows\Sys\svchost.006

MD5 ff2bc313174a6ccfe1e0b5b1a58f0f49
SHA1 4e983cdee788faf6a13a9d5bf3f00f4a17dd6e8e
SHA256 f212c83897599d81f4010f1ef3a43e5709e874912072d38d26a5ef5644462318
SHA512 418083066ba5505267f4de91c9e439674e02645c430360dae22dfc390c33b4e0c01857634d1dcb5dc298c296a5f4130397388bceee2ad82ba0a711ab56d1bd0f

C:\Windows\Sys\svchost.001

MD5 1ea34b65a76c886b4715529accb951c1
SHA1 877f9f7b8cf9a1ea60fa03c68cccdacc6727cfcb
SHA256 06bbe70967cb80ca6e4868700f3224ef29063d6c40c621009e29f5e49e486487
SHA512 c0920effaf0360b5ce22cddd1bcd93ac3c09eafe9362b396e8862731cb1389b891d2d7f43493ff22033282067651880ae6e8ac66e943617b3d7b1185733de18b

memory/4484-33-0x0000000002960000-0x0000000002961000-memory.dmp

memory/4484-41-0x0000000002960000-0x0000000002961000-memory.dmp
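As an added example that is not part of this sandbox report: a Python script that turns the process, file-drop and hash indicators listed in the behavioral1 and behavioral2 sections (the svchost.exe dropped into C:\Windows\Sys, its .001/.006/.007 companion files, and the SHA256 values from the Files tables) into a detection that runs over Sysmon-style process-create (Event ID 1) and file-create (Event ID 11) records. The event layout and field names, and the sample events themselves, are my assumptions constructed from the report's paths and hashes; the benign control event uses a placeholder hash.

```python
"""Detect the Ardamax drop pattern from this report in Sysmon-style event records.

Added example, not code from the sandbox or the report. Event dicts mimic
Sysmon Event ID 1 (process create) and Event ID 11 (file create); the field
names are an assumption. Sample events are constructed from the report.
"""
import re
from pathlib import PureWindowsPath

# SHA256 values copied from the report (dropper from the header, the rest from Files).
ARDAMAX_SHA256 = {
    "207380fbc12ac3c9bd75ae48693ccfae68d00783dd4299152b425828ecfc98a0": "733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe (dropper)",
    "c3f29e3f8b9eb7c20a0046fc105d2199dc5327a570e8c76908e44be1200fb893": "C:\\Windows\\Sys\\svchost.exe (Ardamax main executable)",
    "06bbe70967cb80ca6e4868700f3224ef29063d6c40c621009e29f5e49e486487": "C:\\Windows\\Sys\\svchost.001",
    "f212c83897599d81f4010f1ef3a43e5709e874912072d38d26a5ef5644462318": "C:\\Windows\\Sys\\svchost.006",
    "0692f76ec589e517f0a5205e658ca44656322c0382cee2af53890324818b3e0f": "C:\\Windows\\Sys\\svchost.007",
    "43e86f47f25c03000a1d60ebe6ea29b4329c24141813ffaa606e6e4bda2aa8ef": "Auto Alcher v1.3.exe (second dropped EXE)",
}

# Directories where a genuine svchost.exe lives; anything else is a masquerade.
LEGIT_SVCHOST_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Ardamax keeps numbered companion files (svchost.001, .006, .007) beside its main EXE.
COMPANION_RE = re.compile(r"^svchost\.\d{3}$", re.IGNORECASE)


def sha256_of(event):
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    for part in event.get("Hashes", "").split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def is_masquerading_svchost(path):
    """True when a file named svchost.exe sits outside System32/SysWOW64."""
    p = PureWindowsPath(path)
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS


def analyze(events):
    """Return a list of (rule, detail) findings for a stream of Sysmon-style events."""
    findings = []
    drops = {}  # directory (lower-cased) -> set of file names created there
    for ev in events:
        if ev["EventID"] == 1:  # process create
            image = ev["Image"]
            digest = sha256_of(ev)
            if digest in ARDAMAX_SHA256:
                findings.append(("known_ardamax_hash", f"{image} = {ARDAMAX_SHA256[digest]}"))
            if is_masquerading_svchost(image):
                findings.append(("svchost_outside_system32", f"{image} (parent {ev.get('ParentImage')})"))
        elif ev["EventID"] == 11:  # file create
            target = PureWindowsPath(ev["TargetFilename"])
            drops.setdefault(str(target.parent).lower(), set()).add(target.name.lower())
            if is_masquerading_svchost(ev["TargetFilename"]):
                findings.append(("svchost_dropped_outside_system32", f"{ev['Image']} -> {ev['TargetFilename']}"))
    # Install pattern: svchost.exe plus at least one numbered companion in the same directory.
    for directory, names in drops.items():
        companions = sorted(n for n in names if COMPANION_RE.match(n))
        if "svchost.exe" in names and companions:
            findings.append(("ardamax_companion_set", f"{directory}: svchost.exe + {', '.join(companions)}"))
    return findings


# Constructed sample events mirroring the report's behavioral sections (assumed field layout).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\733cc93422d62025264bc2fe1803e4bd_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\Sys\svchost.001"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\Sys\svchost.006"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\Sys\svchost.007"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\Sys\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Sys\svchost.exe", "ParentImage": DROPPER,
     "Hashes": "MD5=4db1b69341dc88b901d85be34278a634,SHA256=c3f29e3f8b9eb7c20a0046fc105d2199dc5327a570e8c76908e44be1200fb893"},
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\Auto Alcher v1.3.exe", "ParentImage": DROPPER,
     "Hashes": "SHA256=43e86f47f25c03000a1d60ebe6ea29b4329c24141813ffaa606e6e4bda2aa8ef"},
    # Benign control: the real service host started by services.exe (placeholder hash).
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The path-based rules (svchost_outside_system32, ardamax_companion_set) do not depend on the hashes, so they keep firing when an operator rebuilds the keylogger with a fresh binary; the hash set is the brittle part and is there for matching this exact sample.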